SUSE-SU-2022:1483-1

Published: 02 May 2022
Source: suse-cvrf

Description

Security update for subversion

This update for subversion fixes the following issues:

  • CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by Apache HTTP server. This could be exploited by a remote attacker to cause a denial of service (bsc#1197940).
  • CVE-2021-28544: Fixed an information leak issue where Subversion servers may reveal the original path of files protected by path-based authorization (bsc#1197939).

The following non-security bugs were fixed:

  • Skip failing test on s390[x] (bsc#1198503).

Package list

SUSE Linux Enterprise Software Development Kit 12 SP5
libsvn_auth_gnome_keyring-1-0-1.10.6-3.6.1
subversion-1.10.6-3.6.1
subversion-bash-completion-1.10.6-3.6.1
subversion-devel-1.10.6-3.6.1
subversion-perl-1.10.6-3.6.1
subversion-python-1.10.6-3.6.1
subversion-server-1.10.6-3.6.1
subversion-tools-1.10.6-3.6.1

Description

Apache Subversion SVN authz protected copyfrom paths regression. Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.


Affected products
SUSE Linux Enterprise Software Development Kit 12 SP5:libsvn_auth_gnome_keyring-1-0-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-bash-completion-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-devel-1.10.6-3.6.1

Description

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. This affects Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.


Affected products
SUSE Linux Enterprise Software Development Kit 12 SP5:libsvn_auth_gnome_keyring-1-0-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-bash-completion-1.10.6-3.6.1
SUSE Linux Enterprise Software Development Kit 12 SP5:subversion-devel-1.10.6-3.6.1
